SSL VPN Overview
SSL VPN (Secure Sockets Layer Virtual Private Network) allows users to remotely access restricted network resources via a secure and authenticated pathway by encrypting all network traffic and giving the appearance that the user is on the local network, regardless of geographic location. This protocol achieves a higher level of compatibility with client platforms and configurations for remote networks and firewalls, providing a more reliable connection. While Northwestern University Information Technology (NUIT) continues to offer its traditional VPN to the University community at large, SSL VPN is the next generation of VPN service.
Who Can Use SSL VPN
SSL VPN allows access to administrative systems, critical infrastructure, and sensitive information maintained by system administrators. SSL VPN access can be granted to University system administrators as well as vendors and other external collaborators, provided that the user has a valid NetID and password and is in an LDAP (Lightweight Directory Access Protocol) group with SSL VPN access.
Options
There are two SSL VPN options (Note: Enabled features will be determined by user need and the nature of applications and resources that need to be accessed):
- Web Proxy — Users access all available resources through a web-based interface. Resources appear as bookmarks on the SSL VPN start page and secure access is granted as though the user is using an internal IP address. Through this interface, users can access web-based applications, use file sharing, remote desktop/Citrix (Windows Only), and Telnet/SSH. Any computer with a web browser should allow you to access SSL VPN Web Proxy, and because you are working in a web interface, University resources are protected from any malware that may be on the computer, adding extra security.
- Network Connect — Users download a local VPN client that uses the SSL protocol, so they do not need to work through the web interface; this provides connectivity to resources that the Web Proxy cannot reach. The Network Connect client is assigned a unique IP address from a role-specific pool of addresses, rather than the IP address used by Web Proxy connections. Network Connect enables split tunneling: only traffic destined for Northwestern resources is sent through the tunnel to the Northwestern network, and all other traffic leaves the user's computer directly, bypassing University systems. The SSL VPN client is updated automatically whenever a newer version is detected.
Advanced Features
Additional advanced features are available based on user need.
- Endpoint Security Compliance — Checks a connecting computer to make sure it complies with a set of particular rules before allowing a user to log in to SSL VPN. Rules can include making sure that anti-virus definitions are current, checking for particular Windows configurations, scanning for a particular text file located in a specific location, or other system requirements.
- Source IP/Date/Time Restrictions — Restricts access based on location, such as no access allowed from foreign countries, or date/time, such as no access between midnight and 6 a.m. while back-ups are being made.
- Cache Cleaning — (Windows only) Deletes all temporary files upon logging out of SSL VPN.
- Virtual Sandbox User Environment — (Windows only) Configures the user's desktop automatically, preventing unauthorized access to files and applications while connected to SSL VPN; deletes temporary files and restores desktop functionality upon logging out of SSL VPN.
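The access rules described under Requirements and Advanced Features (LDAP group membership, source IP restriction, a blocked time window, and endpoint compliance checks) combine into a deny-by-default policy decision. The following Python is an added example, not code from Northwestern IT or from the SSL VPN appliance: it models such a policy evaluator so that each reason for a refusal is recorded. The group names, network ranges (RFC 5737 documentation prefixes), endpoint check names and sample requests are all constructed for illustration; the blackout-window check also handles windows that wrap past midnight (for example 22:00 to 06:00), which goes slightly beyond the midnight-to-6 a.m. case the page gives.

```python
"""Added example: a deny-by-default SSL VPN access-policy evaluator.

Not the appliance's code; all identifiers and values are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import time


@dataclass(frozen=True)
class Policy:
    # LDAP groups whose members may use SSL VPN (hypothetical group names).
    allowed_groups: frozenset[str]
    # Source networks that may connect; an empty tuple means no restriction.
    allowed_sources: tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, ...]
    # Daily window [start, end) during which logins are refused; may wrap midnight.
    blackout_start: time | None = None
    blackout_end: time | None = None
    # Endpoint checks that must report the required value before login.
    required_endpoint: dict[str, bool] = field(default_factory=dict)


def in_blackout(now: time, start: time | None, end: time | None) -> bool:
    """True when `now` falls inside the blackout window (end exclusive)."""
    if start is None or end is None:
        return False
    if start <= end:
        # Same-day window, e.g. 00:00-06:00 while backups run.
        return start <= now < end
    # Window wraps past midnight, e.g. 22:00-06:00.
    return now >= start or now < end


def evaluate(policy: Policy, user_groups: list[str], source_ip: str,
             now: time, endpoint_state: dict[str, bool]) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed rule is recorded, not just the first."""
    reasons: list[str] = []

    # Requirement: the user must be in an LDAP group that was granted SSL VPN access.
    if not policy.allowed_groups & set(user_groups):
        reasons.append("user is not in an LDAP group with SSL VPN access")

    # Source IP restriction: the address must fall inside a permitted network.
    addr = ipaddress.ip_address(source_ip)
    if policy.allowed_sources and not any(addr in net for net in policy.allowed_sources):
        reasons.append(f"source {source_ip} is outside the permitted networks")

    # Date/time restriction: refuse logins during the blackout window.
    if in_blackout(now, policy.blackout_start, policy.blackout_end):
        reasons.append("connection attempted during the blackout window")

    # Endpoint security compliance: a missing report counts as a failed check.
    for check, required in policy.required_endpoint.items():
        if endpoint_state.get(check) != required:
            reasons.append(f"endpoint check failed: {check}")

    return (not reasons, reasons)


# Constructed sample policy: one authorised group, two campus prefixes
# (documentation ranges standing in for real ones), no logins 00:00-06:00,
# and two endpoint checks modelled on the rules the page lists.
SAMPLE_POLICY = Policy(
    allowed_groups=frozenset({"sslvpn-sysadmins"}),
    allowed_sources=(ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")),
    blackout_start=time(0, 0),
    blackout_end=time(6, 0),
    required_endpoint={"antivirus_current": True, "marker_file_present": True},
)

COMPLIANT_ENDPOINT = {"antivirus_current": True, "marker_file_present": True}


def sample_decisions() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate a few constructed login attempts against the sample policy."""
    return {
        "sysadmin_daytime": evaluate(SAMPLE_POLICY, ["sslvpn-sysadmins"],
                                     "192.0.2.10", time(9, 0), COMPLIANT_ENDPOINT),
        "sysadmin_during_backup": evaluate(SAMPLE_POLICY, ["sslvpn-sysadmins"],
                                           "192.0.2.10", time(1, 0), COMPLIANT_ENDPOINT),
        "outsider_stale_av": evaluate(SAMPLE_POLICY, ["students"], "203.0.113.5",
                                      time(9, 0), {"antivirus_current": False}),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

Recording every failed rule rather than stopping at the first makes the resulting log line useful for the local group administrator who manages LDAP membership: a refusal caused by group membership looks different from one caused by an out-of-date antivirus definition.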
Requirements
Access to online resources through SSL VPN is based on LDAP groups. NUIT must establish groups and configure resource access. The local group administrators are responsible for managing the membership of the LDAP groups.
Ordering
To order SSL VPN service, an authorized University work order contact must submit an order online via the CONDUITS Online Order Form.
All orders must include the following information:
- Contact name and phone number
- Department
- Location of servers to be accessed through SSL VPN
- Number of servers to be accessed through SSL VPN
- IP addresses and domain names of servers to be accessed through SSL VPN
Answer the following questions when requesting SSL VPN service:
- Do you have an LDAP group established for the users who need SSL VPN access?
- How many users do you anticipate needing access?
- How many users are you expecting to connect simultaneously?
- What services are you interested in providing through SSL VPN?
- What specific resources are you interested in protecting through SSL VPN?
- Are any of the resources you are interested in protecting currently behind a hardware firewall?
- Will you require a custom IP address for Web Proxy-based services?
A network engineer from NUIT will contact the department to discuss and evaluate specific SSL VPN needs. For questions about ordering this service, call User Services at 847-467-5560.
Telecommunications and Network Services (TNS)
Phone: 847-467-NNOC (6662)
E-mail: sslvpn@northwestern.edu
Last Updated: 11 June 2008